Judge David S. Cunningham, Case Number: 23STCV22220, Date: 2025-01-06 Tentative Ruling

Judge: David S. Cunningham, Case: 23STCV22220, Date: 2025-01-06 Tentative Ruling

This is a putative class action. Plaintiff alleges that she and the putative class were harmed by a data breach of Defendant’s computer network:

1. With this action, Plaintiff seeks to hold Defendant responsible for the harms caused to Plaintiff and other similarly situated persons (“Class” or “Class Members” or “Breach Victims”) in a massive and preventable data breach of Defendant’s inadequately protected computer network.

2. Following an investigation, which concluded on August 7, 2023, Defendant determined that cybercriminals gained unauthorized access to its systems between March 14, 2022 and March 18, 2022 (the “Data Breach” or “Breach”). This unauthorized user(s) accessed inadequately protected electronic systems of Defendant and stole the sensitive personal information (“Personal Information”), including names, dates of births, Social Security numbers, and medical treatment information of Plaintiff and Breach Victims

3. In short, thanks to Defendant’s failure to protect the Breach Victims’ Personal Information, cybercriminals were able to steal everything they could possibly need to commit nearly every conceivable form of identity theft and wreak havoc on the financial and personal lives of potentially millions of individuals.

5. Defendant’s conduct – failing to implement adequate and reasonable measures to ensure their electronic systems were protected, failing to take adequate steps to prevent and stop the breach, and failing to timely detect the breach, failing to disclose the material facts that they did not have adequate electronic systems and security practices to safeguard the Personal Information, failing to honor their duty to protect the Breach Victims’ Personal Identities, and failing to provide timely and adequate notice of the Data Breach – caused substantial harm and injuries to Plaintiff and the Class.

6. As a result of the Data Brach, Plaintiff and the Class have suffered damages. For example, Plaintiff has experienced a flood of spam telephone calls from unknown persons since the Data Breach. Now that their Personal Information has been hacked, Plaintiff and Class Members are at imminent risk of identity theft. And this will continue, as they must spend their time being extra vigilant, due to Defendant’s failures, to try to prevent being victimized for the rest of their lives.

7. Plaintiff brings this class action lawsuit on behalf of a nationwide and statewide class to hold Defendant responsible for its negligent and reckless failure to use reasonable, current cybersecurity measures to protect class members’ Personal Information.

8. Because Defendant presented such a soft target to cybercriminals, Plaintiff and Class Members have already been subjected to violations of their privacy, fraud, and identity theft, or have been exposed to a heightened and imminent risk of fraud and identity theft. Plaintiff and Class Members must now and in the future, spend time to monitor their credit reports, financial accounts, phone lists, and online accounts more closely to guard against identity theft.

9. Plaintiff and Class Members may also incur out-of-pocket costs for, among other things, purchasing credit monitoring services, credit freezes, credit reports, or other protective measures to deter and detect identify theft.

10. On behalf of herself and the Class, Plaintiff seeks actual damages, statutory damages, and punitive damages, with attorney fees, costs, and expenses under negligence, negligence per se, breach of fiduciary duties, breach of confidence, breach of implied contract, and invasion of privacy. Plaintiff also seeks injunctive relief, including significant improvements to Defendant’s data security systems, future annual audits, and long-term credit monitoring services funded by Defendant, and other remedies as the Court sees fit.

When considering demurrers, courts read the allegations liberally and in context, and “treat the demurrer as admitting all material facts properly pleaded, but not contentions, deductions or conclusions of fact or law.” (Serrano v. Priest (1971) 5 Cal.3d 584, 591.) “A demurrer tests the pleadings alone and not the evidence or other extrinsic matters. Therefore, it lies only where the defects appear on the face of the pleading or are judicially noticed.” (Hahn v. Mirda (2007) 147 Cal.App.4th 740, 747.) It is error “to sustain a demurrer without leave to amend if the plaintiff shows there is a reasonable possibility any defect identified by the defendant can be cured by amendment.” (Aubry v. Tri-City Hospital Dist. (1992) 2 Cal.4th 962, 967.)

The FAC contains causes of action for negligence, breach of confidence, and invasion of privacy.

“The elements of any negligence cause of action are duty, breach of duty, proximate cause, and damages.” (Peredia v. HR Mobile Services, Inc. (2018) 25 Cal.App.5^th 680, 687.)

Undisputedly, the FAC states that cybercriminals hacked Defendant’s computer system and stole Plaintiff’s personal information and the class members’ personal information. (See, e.g., FAC, ¶¶ 1-3, 80-99.)

Defendant contends it did not owe a duty to protect against third-party criminal acts. (See Demurrer, pp. 2-3.)

Plaintiff argues that there was a special relationship between Plaintiff and Defendant and that the Rowland v. Christian (1968) 69 Cal.2d 108 factors compel acknowledgement of a duty. (See Opposition, pp. 7-10.)

* “as a general matter, there is no duty to act to protect others from conduct of third parties” (Reply, p. 2);

* an exception to the general rule “arises when the defendant ‘is in . . . a “special relationship” with either the victim or the person who created the harm’” (ibid.);

* Plaintiff fails to plead facts showing a special relationship (see id. at pp. 2-3);

* since Plaintiff fails to show a special relationship, the Rowland factors do not apply (see id. at p. 4); and,

* even assuming the Rowland factors apply, “they confirm that no duty should be imposed in this case.” (Ibid.; see also id. at p. 5.)

The California Supreme Court has “explained that the law imposes a general duty of care on a defendant only when it is the defendant who has ‘“created a risk of harm”’ to the plaintiff, including when ‘“the defendant is responsible for making the plaintiff’s position worse.”’” (Brown v. USA Taekwondo (2021) 11 Cal.5^th 204, 214.) “The law does not impose the same duty on a defendant who did not contribute to the risk that the plaintiff would suffer the harm alleged.” (Ibid.) “Generally, the ‘person who has not created a peril is not liable in tort merely for failure to take affirmative action to assist or protect another’ from that peril.” (Ibid.) “For example, a person who stumbles upon someone drowning generally has no legal duty to help the victim.” (Ibid.) “The same rule applies to a person who stumbles upon a mugging, for ‘as a general matter, there is no duty to act to protect others from the conduct of third parties.’” (Ibid.)

“This general rule . . . ‘derives from the common law’s distinction between misfeasance and nonfeasance, and its reluctance to impose liability for the latter.’” (Ibid.) “That distinction has deep roots in the law.” (Ibid.) “And although it may sometimes produce outcomes that appear ‘[m]orally questionable’ [citation], there are several reasons the no-duty-to-protect rule has endured.” (Id. at 215.) “The most commonly cited reason for the rule is rooted in ‘the liberal tradition of individual freedom and autonomy’ – the idea that a person should be able to freely choose whether to come to the aid of a stranger, without fear of incurring legal liability for the choice.” (Ibid.) “But [] cases have recognized other reasons as well, including ‘“the difficulties of setting any standards of unselfish service to fellow men,”’ and the challenge of ‘“making any workable rule to cover possible situations where fifty people might fail to rescue.”’” (Ibid.)

“The no-duty-to-protect rule is not absolute, however;” the Supreme Court “has recognized a number of exceptions.” (Ibid.) “Under some circumstances, a defendant may have an affirmative duty to protect the plaintiff from harm at the hands of a third party, even though the risk of harm is not of the defendant's own making.” (Ibid.) “For example, if a person does choose to ‘undertake[ ] to come to the aid of another,’ she may then have an affirmative duty to exercise reasonable care in that undertaking.” (Ibid.) Also, relevant here, “a person may have an affirmative duty to protect the victim of another’s harm if that person is in what the law calls a ‘special relationship’ with either the victim or the person who created the harm.” (Ibid.)

“A special relationship between the defendant and the victim is one that ‘gives the victim a right to expect’ protection from the defendant, while a special relationship between the defendant and the dangerous third party is one that ‘entails an ability to control [the third party’s] conduct.’” (Id. at 216.) “Relationships between parents and children, colleges and students, employers and employees, common carriers and passengers, and innkeepers and guests, are all examples of special relationships that give rise to an affirmative duty to protect.” (Ibid.) “The existence of such a special relationship puts the defendant in a unique position to protect the plaintiff from injury.” (Ibid.) “The law requires the defendant to use this position accordingly.” (Ibid.)

“Where the defendant has neither performed an act that increases the risk of injury to the plaintiff nor sits in a relation to the parties that creates an affirmative duty to protect the plaintiff from harm, however,” case law “uniformly [holds that] the defendant owes no legal duty[.]” (Ibid.)

Given these rules, the Court agrees with Defendant. Plaintiff proposes “two bases for finding a special relationship.” (Reply, p. 3.) First, Plaintiff claims Defendant qualifies as her former employer’s agent because Defendant is representing the former employer in a wrongful-termination lawsuit that Plaintiff filed against the former employer. (See Opposition, p. 8; see also FAC, ¶¶ 26-27.)[1] Plaintiff asserts that an employer-employee relationship constitutes a special relationship and that it extends to agents. (See Opposition, p. 8; see also Reply, p. 3). Second, Plaintiff contends a special relationship is generated when a law firm receives personal information about a person during litigation. (See Opposition, p. 9; see also Reply, p. 3.) The FAC does not allege either theory. (See FAC, ¶ 91 [merely stating, conclusively, that “Defendant had a special relationship with Plaintiff and the Class”].) More importantly, Plaintiff cites distinguishable authorities in support of the first theory and no authority in support of the second. (See Opposition, pp. 8-9.) Kirsten v. California Pizza Kitchen, Inc. (C.D. Cal. July 29, 2022, No. 2:21-CV-09578-DOC-KES) 2022 WL 16894503, Castillo v. Seagate Technology, LLC (N.D. Cal. Sept. 14, 2016, No. 16-cv-01958-RS) 2016 WL 9280242, and Corona v. Sony Pictures Entertainment, Inc. (C.D. Cal. June 15, 2015, No. 14–CV–09600 RGK (Ex)) 2015 WL 3916744 are employee-versus-employer cases. Stasi v. Immediata Health Group Corp. (2020) 501 F.Supp.3d 898 involved medical patients suing a billing provider. None of them recognizes a special relationship between an employee and opposing counsel arising from a wrongful-termination action in which the defendant is the opposing counsel’s client. Plaintiff’s authorities do not stretch the special-relationship analysis this far and do not confront the distinct policy considerations and professional responsibilities related to the attorney-client relationship, especially where the complainant is suing the attorney’s client. Consequently, the Court:

* finds that Plaintiff fails to demonstrate a duty because she fails to demonstrate a special relationship; and

The Rowland factors do not change the result. “Rowland was not designed as a freestanding means of establishing a duty, but instead as a means for deciding whether to limit a duty derived from other sources.” (Brown, supra, 11 Cal.5^th at 217, underlining of case name added.) “[T]he Rowland factors do not serve as an alternative basis for imposing duties to protect.” (Id. at 221, underlining of case name added.) “The purpose of the Rowland factors is to determine whether the relevant circumstances warrant limiting a duty already established, not to recognize legal duties in new contexts.” (Ibid., underlining of case name added.) Bottom line, Plaintiff cannot use the Rowland factors, independently, to devise a duty if there is no special relationship. (See ibid.; see also Reply, p. 4.)

Defendant also argues that the FAC fails to allege an injury. (See Demurrer, pp. 4-7; see also Reply, pp. 5-8.)

As a matter of guidance, though, the Court tends to disagree. The emerging trend is to treat loss of value of personal information as an injury. This Court held as much in a case called Doe v. Adobe, Inc. (23STCV11136). There, the Court found that loss of value could suffice as long as the plaintiff amended to allege facts satisfying Moore v. Centrelake Medical Group, Inc. (2022) 83 Cal.App.5^th 515. (See Adobe 3/18/24 Ruling Re: Demurrer and Motion to Strike; see also Adobe 9/19/24 Ruling Re: Demurrer and Motion to Strike Re: First Amended Complaint.) If there were a special relationship, the Court would be inclined to give Plaintiff a chance to do the same here.

To prevail on a claim for breach of confidence under California law, a plaintiff must demonstrate that: (1) the plaintiff conveyed ‘confidential and novel information’ to the defendant; (2) the defendant had knowledge that the information was being disclosed in confidence; (3) there was an understanding between the defendant and the plaintiff that the confidence be maintained; and (4) there was a disclosure or use in violation of the understanding.

Defendant claims the demurrer should be sustained because “California protects novel ideas, not personal information,” and Defendant did not intentionally disclose the information. (Reply, p. 9; see also Demurrer, pp. 7-8 [additionally arguing that Plaintiff does not allege an injury].)

Breach of confidence is a tort “based upon the concept of an implied obligation or contract between the parties that confidential information will not be disclosed." [Citation.] Plaintiff was a part[y] to litigation in which Defendant represented the opposing party. Through litigation Plaintiff was required to share their [personal information] with Defendant. Plaintiffs, as any litigant does, anticipated that the lawyers involved in litigation will safeguard the [personal information] which parties were obliged to divulge. Moreover, there is no question of fact regarding whether this sensitive [personal information] was disclosed, as Defendant already admits in its data breach notice. Lastly, as Plaintiff has extensively explained above, Plaintiff has alleged several theories of cognizable harm that resulted directly from Defendant’s failure to safeguard Plaintiff’s [personal information] and timely notify them of their data being breached. As such, the Court must deny Defendant’s Motion to Dismiss as to Plaintiff’ Breach of Confidence Cause of Action.

The Court agrees with Defendant. Plaintiff’s response is unsupported. She does not cite case law or specific allegations in the FAC. If nothing else, the fourth element is unsatisfied. “California courts have found that the ‘ordinary meaning’ of the word ‘disclosure’ ‘suggest[s] that disclosure occurs when’” the defendant “affirmatively shares” the personal information “with another person or entity.” (In re Ambry Genetics Data Breach Litigation (C.D. Cal. 2021) 567 F.Supp.3d 1130, 1146.) “Plaintiff[] does not allege that Defendant[] affirmatively shared any information or performed any act that gave hackers information.” (Id. at 1147.) She alleges the opposite – unauthorized access and theft (see FAC, ¶ 2) – so the demurrer is sustained without leave to amend.

“An actionable claim requires three essential elements: (1) the claimant must possess a legally protected privacy interest [citation]; (2) the claimant's expectation of privacy must be objectively reasonable [citation]; and (3) the invasion of privacy complained of must be serious in both its nature and scope [citation].” (Medical Board of California v. Chiarottino (2014) 225 Cal.App.4^th 623, 631.)

The Court sustains without leave to amend. Again, the FAC alleges that third-party cybercriminals cyberattacked Defendant. Plaintiff fails to cite a case upholding an invasion-of-privacy claim relative to a third-party cyberattack. (See Opposition, p. 16; cf. Schmitt v. SN Servicing Corp. (N.D. Cal. Nov. 12, 2021, No. 21-cv-03355-WHO) 2021 WL 5279822 [dismissing invasion-of-privacy claim because the personal information had been obtained via third-party hacking].) She also does not allege intentional conduct by Defendant or actual public disclosures. (See FAC, ¶¶ 114-115, 120 [only alleging disclosure to the third-party cybercriminals by theft and vaguely stating that the personal information “is now available for disclosure and redisclosure”], emphasis added; see also Demurrer, pp. 8-10; Reply, pp. 9-10.)

[1] The wrongful-termination case is Booker v. Charter Communications, LLC (20STCV07680).

[2] Defendant is not the former employer’s agent in the employment context. At most, it is an agent in the litigation context where Plaintiff is litigating against Defendant’s client.